CVE-2017-12249
https://notcve.org/view.php?id=CVE-2017-12249
A vulnerability in the Traversal Using Relay NAT (TURN) server included with Cisco Meeting Server (CMS) could allow an authenticated, remote attacker to gain unauthenticated or unauthorized access to components of or sensitive information in an affected system. The vulnerability is due to an incorrect default configuration of the TURN server, which could expose internal interfaces and ports on the external interface of an affected system. An attacker could exploit this vulnerability by using a TURN server to perform an unauthorized connection to a Call Bridge, a Web Bridge, or a database cluster in an affected system, depending on the deployment model and CMS services in use. A successful exploit could allow the attacker to gain unauthenticated access to a Call Bridge or database cluster in an affected system or gain unauthorized access to sensitive meeting information in an affected system. To exploit this vulnerability, the attacker must have valid credentials for the TURN server of the affected system.
• http://www.securityfocus.com/bid/100821
• http://www.securitytracker.com/id/1039357
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170913-cmsturn
• CWE-16: Configuration
• CWE-668: Exposure of Resource to Wrong Sphere
CVE-2016-1451
https://notcve.org/view.php?id=CVE-2016-1451
Cross-site scripting (XSS) vulnerability in the web-based management interface in Cisco Meeting Server (formerly Acano Conferencing Server) 1.7 through 1.9 allows remote attackers to inject arbitrary web script or HTML via crafted parameters, aka Bug ID CSCva19922.
• http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160714-ms
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')